Search:Vulnerability:02.05.2007

[EN] securityvulns.ru no-pyccku

ZoneAlarm personal firewall multiple security vulnerabilities updated since 17.04.2007
Published:		02.05.2007
Source:		BUGTRAQ
SecurityVulns ID:		7597
Type:		local
Threat Level:		5/10
Description:		Insufficient arguments validation for hooked functions allows privilege escalation.

Affected:		ZONELABS : ZoneAlarm Pro 6.5
CVE:		CVE-2007-2467 (ZoneAlarm Pro 6.5.737.000, 6.1.744.001, and possibly earlier versions and other products, allows local users to cause a denial of service (system crash) by sending malformed data to the vsdatant device driver, which causes an invalid memory access.)
		CVE-2007-2083 (vsdatant.sys in Check Point Zone Labs ZoneAlarm Pro before 7.0.302.000 does not validate certain arguments before being passed to hooked SSDT function handlers, which allows local users to cause a denial of service (system crash) or possibly execute arbitrary code via crafted arguments to the (1) NtCreateKey and (2) NtDeleteFile functions.)

Original document		Matousec - Transparent security Research, ZoneAlarm Insufficient validation of 'vsdatant' driver input buffer Vulnerability (02.05.2007)
		Reversemode, [Reversemode advisory] CheckPoint Zonelabs - ZoneAlarm SRESCAN driver local privilege escalation (24.04.2007)
		IDEFENSE, iDefense Security Advisory 04.20.07: Check Point Zone Labs SRESCAN IOCTL Local Privilege Escalation Vulnerability (21.04.2007)
		Matousec - Transparent security Research, ZoneAlarm Multiple insufficient argument validation of hooked SSDT function Vulnerability (17.04.2007)

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:		02.05.2007
Source:
SecurityVulns ID:		7653
Type:		remote
Threat Level:		5/10
Description:		PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.

Affected:		SENDCARD : Sendcard 3.4
		GHH : GHH Portal 1.1
		WORDPRESS : myflash 1.00 plugin for WordPress
		WORDPRESS : wp-Table 1.43 module for WordPress
		WORDPRESS : wordTube 1.43 module for WordPress
		PSILABS : psipuss 1.0
		THEMERCHANT : The Merchant 2.2

Original document		eufrato_(at)_gmail.com, [ECHO_ADV_81$2007] wordpress plugins wordTube <= 1.43 (wpPATH) Remote File Inclusion Vulnerability (02.05.2007)
		eufrato_(at)_gmail.com, [ECHO_ADV_82$2007] wordpress plugins wp-Table <= 1.43 (inc_dir) Remote File Inclusion Vulnerability (02.05.2007)
		ettee, Sendcard (sendcard.php) Sendcard Local File Inclusion Vulnerability (02.05.2007)
		crackers_child_(at)_sibersavascilar.com, Wordpress plugin myflash <= V1.00 (wppath) RFI Vulnerability (02.05.2007)
		ilkerKandemir_(at)_mynet.com, E-Annu (home.php) Remote SQL Injection Vulnerability (02.05.2007)
		crazy_king_(at)_eno7.org, GHH Portal 1.1 (passwd.txt) Remote Password Disclosure Vulnerability (02.05.2007)
		suresync_(at)_gmail.com, Flaw in about.r OS and Progress version disclosure (02.05.2007)

Files:		psipuss 1.0 (editusers.php) Remote Change Admin Password Exploit
		2005-2006 The Merchant Project Remote File Include Exploit

Yate VoIP server DoS
Published:		02.05.2007
Source:		BUGTRAQ
SecurityVulns ID:		7654
Type:		remote
Threat Level:		5/10
Description:		NULL pointer dereference on absent "purpose" parameter of SIP "Call-Info" header.

Affected:		YATE : Yate 1.1
CVE:		CVE-2007-1693 (The SIP channel module in Yet Another Telephony Engine (Yate) before 1.2.0 sets the caller_info_uri parameter using a incorrect variable that can be NULL, which allows remote attackers to cause a denial of service (NULL dereference and application crash) via a Call-Info header without a purpose parameter.)

Original document

no-reply_(at)_radware.com, Radware Security Advisory - Yate 1.1.0 Denial of Service Vulnerability (02.05.2007)

VMWare host system files access directory traversal updated since 02.05.2007
Published:		02.05.2007
Source:		BUGTRAQ
SecurityVulns ID:		7655
Type:		local
Threat Level:		6/10
Description:		Because of directory traversal in "Shared folders" option, it's possible to access file of host system from guest system.

Affected:		VMWARE : VMware Workstation 5.5
CVE:		CVE-2007-1744 (Directory traversal vulnerability in the Shared Folders feature for VMware Workstation before 5.5.4, when a folder is shared, allows users on the guest system to write to arbitrary files on the host system via the "Backdoor I/O Port" interface.)

Original document

IDEFENSE, iDefense Security Advisory 04.27.07: VMware Workstation Shared Folders Directory Traversal Vulnerability (02.05.2007)

HP Power Manager Remote Agent privilege escalation
Published:		02.05.2007
Source:		BUGTRAQ
SecurityVulns ID:		7657
Type:		local
Threat Level:		5/10

CVE:

CVE-2007-2351 (Unspecified vulnerability in the HP Power Manager Remote Agent (RA) 4.0Build10 and earlier in HP-UX B.11.11 and B.11.23 allows local users to execute arbitrary code via unspecified vectors.)

Original document

HP, [security bulletin] HPSBMA02197 SSRT061285 rev.1 - HP-UX Running HP Power Manager Remote Agent (RA), Local Execution of Arbitrary Code with Root Privileges (02.05.2007)

Aventail Connect SSL VPN Client Buffer Overflow
Published:		02.05.2007
Source:		FULL-DISCLOSURE
SecurityVulns ID:		7658
Type:		client
Threat Level:		5/10
Description:		Buffer overflow in gethostbyname() family functions hoocked thorugh LSP on oversized hotname in any application.

Affected:

AVENTAIL : Aventail Connect 5.1

Original document

Thomas Pollet, [Full-disclosure] Aventail Connect SSL VPN Client Buffer Overflow (02.05.2007)

WinAMP memory corruption
Published:		02.05.2007
Source:		MILW0RM
SecurityVulns ID:		7659
Type:		client
Threat Level:		6/10
Description:		Buffer overflow on parsing .MP4 file.

Affected:		NULLSOFT : WinAMP 5.34
CVE:		CVE-2007-2498 (libmp4v2.dll in Winamp 5.02 through 5.34 allows user-assisted remote attackers to execute arbitrary code via a certain .MP4 file. NOTE: some of these details are obtained from third party information.)

Files:

Winamp <= 5.34 .MP4 File Code Execution

Office Viewer OCX multiple security vulnerabilities
Published:		02.05.2007
Source:		MILW0RM
SecurityVulns ID:		7660
Type:		client
Threat Level:		5/10
Description:		Multiple buffer overflows in different methods.

Affected:		OFFICEOCX : Office Viewer OCX 3.2
CVE:		CVE-2007-2496 (The WordOCX ActiveX control in WordViewer.ocx 3.2.0.5 allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long (1) DoOleCommand, (2) FTPDownloadFile, (3) FTPUploadFile, (4) HttpUploadFile, (5) GotoPage, (6) Save, (7) SaveWebFile, (8) HttpDownloadFile, (9) Open, (10) OpenWebFile, (11) SaveAs, or (12) ShowWordStandardDialog property value.)
		CVE-2007-2495 (Multiple stack-based buffer overflows in the ExcelOCX ActiveX control in ExcelViewer.ocx 3.1.0.6 allow remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long (1) DoOleCommand, (2) FTPDownloadFile, (3) FTPUploadFile, (4) HttpUploadFile, (5) Save, (6) SaveWebFile, (7) HttpDownloadFile, (8) Open, or (9) OpenWebFile property value. NOTE: some of these details are obtained from third party information.)
		CVE-2007-2494 (Multiple stack-based buffer overflows in the PowerPointOCX ActiveX control in PowerPointViewer.ocx 3.1.0.3 allow remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long (1) DoOleCommand, (2) FTPDownloadFile, (3) FTPUploadFile, (4) HttpUploadFile, (5) Save, (6) SaveWebFile, (7) HttpDownloadFile, (8) Open, or (9) OpenWebFile property value. NOTE: some of these details are obtained from third party information.)

Files:

PowerPointViewer.ocx v. 3.1.0.3 multiple methods Denial of Service

Trillian instant messenger multiple security vulnerabilities updated since 02.05.2007
Published:		19.05.2007
Source:		BUGTRAQ
SecurityVulns ID:		7656
Type:		remote
Threat Level:		6/10
Description:		Multiple security vulnerabilities on IRC handling lead to information leaks and buffer overflow. Buffer overflows on Rendezvous and XMPP protocols parsing.

CVE:		CVE-2007-2479 (Cerulean Studios Trillian Pro before 3.1.5.1 allows remote attackers to obtain potentially sensitive information via long CTCP PING messages that contain UTF-8 characters, which generates a malformed response that is not truncated by a newline, which can cause portions of a server message to be sent to the attacker.)
		CVE-2007-2478 (Multiple heap-based buffer overflows in the IRC component in Cerulean Studios Trillian Pro before 3.1.5.1 allow remote attackers to corrupt memory and possibly execute arbitrary code via (1) a URL with a long UTF-8 string, which triggers the overflow when the user highlights it, or (2) a font HTML tag with a face attribute containing a long UTF-8 string.)
		CVE-2007-2418 (Heap-based buffer overflow in the Rendezvous / Extensible Messaging and Presence Protocol (XMPP) component (plugins\rendezvous.dll) for Cerulean Studios Trillian Pro before 3.1.5.1 allows remote attackers to execute arbitrary code via a message that triggers the overflow from expansion that occurs during encoding.)

Original document		ZDI, TPTI-07-06: Trillian Pro Rendezvous XMPP HTML Decoding Heap Corruption (04.05.2007)
		IDEFENSE, iDefense Security Advisory 04.30.07: Cerulean Studios Trillian Multiple IRC Vulnerabilities (02.05.2007)